Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management
Alerts: Avaddon Ransomware Attacks IncreasingFBI and Australian Officials Describe the Threat
Attackers are using Avaddon ransomware to target diverse organizations in the U.S., Australia and elsewhere, according to the FBI and the Australian Cyber Security Center.
The agencies warn that an ongoing campaign is hitting manufacturers, airlines, healthcare organizations and others.
Avaddon ransomware, first promoted on Russian-language hacking forums as a ransomware-as-a-service offering, was subsequently used in cybercriminal campaigns, the ACSC says in its recent alert.
The gang behind Avaddon ransomware recently stole SIM card data and banking information in an attack on Schepisi Communications, a service provider to Australian telecommunications company Telstra (see: Ransomware Hits Australian Telecom Provider Telstra’s Partner)
"These are often low in sophistication, containing a threat suggesting the attached file contains a compromising photo of the victim," the Australian agency says. "'Double extortion' techniques are used, such as coercion and further pressure to pay a ransom, including threatening to publish the victim’s data … and threatening the use of DDoS attacks against the victims."
Written in C++, Avaddon encrypts data using a unique AES256 encryption key, the agency reports. During the infection process, Avaddon checks the operating system language and keyboard layouts. If a potential victim’s operating system language is set to specific languages normally used in the Commonwealth of Independent States - formerly part of the Soviet Union - the malware ceases operation without harming the system.
In addition, the operators behind Avaddon apply the GetUserDefaultLCID() function to identify the default geolocation and system language of the user’s device to determine whether the user will be targeted for attack. This technique has also been observed in ransomware campaigns using the MedusaLocker variant, ACSC states.
"TTPs for Avaddon are very similar to those identified in use within the Ako and MedusaLocker ransomware variants, including the use of an embedded public key to perform AES-256 encryption on all file data, as well as using a Windows Scheduled Task to establish persistence," the Australian agency notes.
The FBI says in its alert that attackers using Avaddon ransomware have compromised victims by using remote desktop protocol logins or targeting virtual private networks that are misconfigured or use single-factor authentication.
"After Avaddon actors gain access to a victim’s network, they map the network and identify backups for deletion and/or encryption," the FBI says. "The malware escalates privileges, contains anti-analysis protection code, enables persistence on a victim system and verifies the victim is not located in the Commonwealth of Independent States."
The Avaddon attackers use data leak site avaddongun7rngel[.]onion to identify victims who do not pay ransoms, ACSC says. They demand ransom payment via bitcoin, with an average demand of about $40,000 in exchange for a decryption tool, the Australian agency says.
Security firm Trend Micro first spotted Avaddon ransomware in the wild in February 2020. In June 2020, Trend Micro revealed that the strain is spread as a malicious image file in email attachments. When downloaded, the malware encrypts the files in the victims' devices with the .avdn file extension.
"Users will see that their system desktop's wallpaper has been automatically changed to an image that states 'all your files have been encrypted' and refers to the ransom note," Trend Micro noted.
By October 2020, the Avaddon group was reportedly leveraging distributed denial-of-service attacks against victims to force them to pay the ransom.
To mitigate the threat posed by Avaddon, the FBI recommends:
- Backing up critical data offline and ensuring copies of critical data are in the cloud or on an external hard drive or storage device;
- Securing backups and ensuring data is not accessible for modification or deletion from the system where it resides;
- Using two-factor authentication with strong passwords, especially for remote access services.
- Monitoring cyberthreat reporting regarding the publication of compromised VPN login credentials.